CVE-2023-31416: Elastic Cloud on Kubernetes (ECK) secret token configuration issue
First published: Thu Oct 26 2023(Updated: )
Secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elastic Cloud On Kubernetes | <2.8 | |
| Elastic Apm Server | >=8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-31416.
What is the title of the vulnerability?
The title of the vulnerability is Elastic Cloud on Kubernetes (ECK) secret token configuration issue.
What is the description of the vulnerability?
The secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0, which could lead to anonymous requests being accepted and data ingested into the APM deployment.
What is the affected software?
The affected software includes Elastic Cloud on Kubernetes (ECK) version up to exclusive 2.8 and APM Server version from inclusive 8.0.
What is the severity of the vulnerability?
The severity of the vulnerability is medium with a CVSS score of 5.3.
How can I fix the vulnerability?
To fix the vulnerability, update ECK to version 2.8 or higher, and update APM Server to a version lower than 8.0.
- collector/mitre-cve
- collector/nvd-api
- agent/references
- agent/title
- agent/severity
- agent/author
- agent/type
- vendor/elastic
- canonical/elastic elastic cloud on kubernetes
- canonical/elastic apm server
- version/elastic apm server/8.0